1. Field of the Invention
The present invention relates to computer network authentication services. Specifically, the invention relates to apparatus, methods, and systems for providing disconnected validation of login credentials.
2. Description of the Related Art
In recent years, computer networks have been increasingly significant in terms of the quantity and sensitivity of the data communicated. Once used primarily for academic purposes, the Internet has become a vehicle for communicating such confidential information as credit card transactions, bank account transactions, and corporate intellectual property. The same applies to proprietary corporate networks. As the quantity and value of the data being communicated has increased, the threats to the security of this data have increased proportionately.
One of the technologies developed to address data security threats is Kerberos authentication. Kerberos provides a means for secure authentication of a user's credentials as well as means to protect sensitive data communicated across an insecure network. Kerberos authentication relies on the existence of a Kerberos server that certifies a user's identity to network services utilized by an application the user is running. Services that use Kerberos to authenticate users are said to be “Kerberized.”
While the need for security has increased, so has the need for flexibility. Users are increasingly mobile and may access network services through a variety of locations and devices. Networks are increasing in size and complexity and are often in a state of flux and change. Such size and flexibility provides challenges to network security and reliability. For example, changes in policy or accounts must be effected across larger networks and a greater number of devices. Furthermore, an authentication server such as a Kerberos server may be temporarily inaccessible to some or all of a network resulting in a need for “disconnected” authentication of a user.
While various solutions for disconnected authentication have been developed, such solutions typically require at least one previous login by the user at a particular device at a time that the authentication server is accessible. Such a requirement is impractical given the sheer number of networked devices and the frequency of changes in network configuration and login accounts.
Given the issues and challenges related to providing authentication services and the shortcomings of currently available solutions, a need exists for an apparatus, method, and system to validate login credentials of a user or group member without requiring a previous login from a particular device or immediate access to an authentication server.